Verified environment
- Firepower 2100 series
- ASA OS 9.16.x
Configuration for Telnet access on Firepower(ASA)
Configuration for Telnet
■Setting local users for authentication
Defines the local user account used to authenticate Telnet access.
username <name> password <password>
ciscoasa(config)# username hogeuser password hogepassword
■Setting client IPs that are permitted to connect
Specifies the source client IP range from which Telnet access is permitted. Connections from any other source are refused.
telnet <source_IP_address> <mask> <source_interface>
source_interface
: the nameif name of the interface on which the Telnet connections arrive
ciscoasa(config)# telnet 10.1.1.0 255.255.255.0 inside
■Settings for using local users as the authentication method
Makes the local user database (LOCAL) the authentication method for Telnet access.
aaa authentication telnet console LOCAL
ciscoasa(config)# aaa authentication telnet console LOCAL
Telnet access does not require an ACL permit rule
You do not need to add a rule permitting Telnet to the interface ACL; the telnet command above controls access on its own. Note that Telnet sends the username and password in cleartext, so SSH is the preferred method for management access.
No Telnet access to the lowest security-level interface
Telnet access to the interface with the lowest security level is not allowed, except when the Telnet session runs inside a VPN tunnel.
Configuration for SSH access on Firepower (ASA)
Configuration for SSH access
■Generate the RSA key pair required for SSH
Generates the RSA key pair that the SSH server uses as its host key. Without it the SSH server cannot accept connections.
crypto key generate rsa modulus <size>
size
: key size in bits. 512, 768, 1024, 2048, 3072, or 4096; 2048 or higher is recommended.
ciscoasa(config)# crypto key generate rsa modulus 2048
■Setting local users for authentication
Defines the local user account used to authenticate SSH access.
username <name> password <password>
ciscoasa(config)# username hogeuser password hogepassword
■Setting client IPs that are permitted to connect
Specifies the source client IP range from which SSH access is permitted. Connections from any other source are refused.
ssh <source_IP_address> <mask> <source_interface>
source_interface
: the nameif name of the interface on which the SSH connections arrive
ciscoasa(config)# ssh 10.1.1.0 255.255.255.0 inside
■Settings for using local users as the authentication method
Makes the local user database (LOCAL) the authentication method for SSH access.
aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication ssh console LOCAL
SSH access does not require an ACL permit rule
You do not need to add a rule permitting SSH to the interface ACL; the ssh command above controls access on its own.
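The Telnet and SSH sections above both reduce to three kinds of lines in the running configuration: a source restriction, an optional Telnet entry, and an aaa authentication line. The following script, an added example and not part of the original page or Cisco's own tooling, parses a constructed running-config excerpt that contains only those command forms and reports the problems a reviewer would look for: Telnet enabled at all (cleartext credentials), an SSH or Telnet source of 0.0.0.0 0.0.0.0 (any host), a source range wider than a /24 (the /24 threshold is this example's own assumption), and a protocol that is enabled without a matching aaa authentication line. The sample configuration is constructed for the example and was not captured from a real device.

```python
"""Audit management-access lines in a Cisco ASA running-config excerpt.

Added example. Only the command forms shown on this page are parsed:
  telnet <ip> <mask> <interface>
  ssh <ip> <mask> <interface>
  aaa authentication {telnet|ssh} console <server-group>
"""
import ipaddress
import re

# Constructed sample excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
hostname ciscoasa
username hogeuser password hogepassword
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
aaa authentication ssh console LOCAL
"""

ACCESS_RE = re.compile(
    r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
AAA_RE = re.compile(r"^aaa authentication (telnet|ssh) console (\S+)$")

# Assumption of this example: anything wider than a /24 is worth flagging.
MAX_SOURCE_PREFIXLEN = 24


def parse_mgmt_access(config):
    """Return ([(protocol, IPv4Network, interface)], {protocol: server_group})."""
    rules = []
    aaa = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACCESS_RE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            # (address, netmask) tuple form turns dotted mask into a prefix.
            net = ipaddress.IPv4Network((ip, mask), strict=False)
            rules.append((proto, net, iface))
            continue
        m = AAA_RE.match(line)
        if m:
            aaa[m.group(1)] = m.group(2)
    return rules, aaa


def audit(config):
    """Return a list of human-readable findings for the excerpt."""
    rules, aaa = parse_mgmt_access(config)
    findings = []
    for proto, net, iface in rules:
        if proto == "telnet":
            findings.append(
                f"telnet enabled from {net} on {iface}: credentials travel in cleartext"
            )
        if net.prefixlen == 0:
            findings.append(f"{proto} permitted from any source on {iface}")
        elif net.prefixlen < MAX_SOURCE_PREFIXLEN:
            findings.append(
                f"{proto} source {net} on {iface} is wider than a /{MAX_SOURCE_PREFIXLEN}"
            )
    # A protocol that is enabled but has no aaa line does not use the local
    # user database configured with the username command.
    for proto in sorted({r[0] for r in rules}):
        if proto not in aaa:
            findings.append(
                f"{proto} access configured but no 'aaa authentication {proto} console' line"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file by replacing SAMPLE_CONFIG with the file contents; lines such as `telnet timeout 5` and `ssh timeout 30` do not match the access pattern and are ignored, so the parser is not confused by the other telnet and ssh subcommands.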
Case: "unknown host KEY type" error when accessing via SSH
When you connect from an SSH client, the message "unknown host KEY type" may be displayed and the connection fails.
This error occurs when the RSA key pair required for SSH has not been generated on the Firepower (ASA). Check whether a key exists with the show crypto key mypubkey rsa command; if none is present, generate one with the crypto key generate rsa modulus <size> command.